Application Control Engine (ACE)
2010 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-3003

Core Message
Understanding the architecture and flow management is the key to understanding how to troubleshoot the Application Control Engine.

Session Objective
At the end of the session, you will be able to:

ACE Architecture
- Understand the ACE architecture and connectivity through ACE
- Verify software images, licenses and image recovery
- Use the real-time TCP dump command
- Implement management traffic protection
- Understand access lists on ACE

Flow Management
- Understand the difference between L4 and L7 processing
- Check for possible asymmetric flows
- Understand high availability from the show commands
- Provide layer 7 troubleshooting
- Monitor performance and troubleshoot resources

Session Agenda
ACE Architecture
- Discuss the architecture
- Functions of control plane and data plane
- Common debugging commands
- Packet capturing and logging
- Traffic forwarding on ACE
- Management traffic protection
Flow Management
- Connection handling on ACE
- Health monitoring on ACE
- High availability on ACE
- Layer 7 troubleshooting and performance

ACE Architecture

ACE Module Hardware Architecture
Figure: block diagram of the ACE module. Components shown: Switch Fabric Interface (16G), Classification Distribution Engine (CDE), Daughter Card 1 and Daughter Card 2 (8G each), Network Processor 1 and Network Processor 2 (10G each), SSL Crypto (10G), a 2G link, console port and Sup Connect (100M); the control plane and data plane are labelled separately.
Network Processor Micro-Engines
- Receive + Fastpath (+ Transmit)
- IP Reassembly + Timers + Syslog
- Inbound Connection Manager
- Outbound Connection Manager
- Connection Close Management
- TCP
- HTTP
- Application fixups
- SSL Record Layer
- Static and user-configurable REGEX
- TCP Normalization + FixUps
Figure: micro-engine layout on the network processor, labelled Rx, Fast Path (five instances), IP Frag, Timers, ICM, OCM, CCM, TCP, HTTP (two instances), SSL Record, RegEx, FixUps and TCP Norm., alongside the XScale CPU.

Separation of Data and Management Traffic
Control path and data path run on separate processors.
Control path:
- Device control
- Configuration manager (CLI, XML API, SSH, ...)
- Server health monitoring (native probes, TCL scripts)
- Syslogs, SNMP, ARP, DHCP relay
- High availability
Data path:
- Connection management
- TCP termination
- Access lists
- SSL offload
- Regular expression matching
- Load balancing and forwarding

Traffic to the ACE

Traffic Flow to the CDE
- The ACE has no native ports. The Switch Fabric Interface forwards packets to the CDE.
- A packet comes in over the Switch Fabric Interface marked with the VLAN and the L2 information.
- This is the TenGigabitEthernet link (Te?/1, where ? is the slot number).
- Packets entering or leaving the ACE traverse this link, using VLAN tagging to indicate the VLAN.
- The CDE (Classification and Distribution Engine) fills out the IMPH header and forwards traffic to the appropriate blade subsystem (e.g., CP, NP1, NP2).
Traffic Flow to the CDE (continued)
The CDE hashes incoming packets to be forwarded to either NP1 or NP2 based on the following:
- TCP/UDP: hash of source/destination port
- Non-TCP/UDP IP: hash on source/destination IP address
- Non-IP: hash on source/destination L2 MAC
All forwarding is done on the NPs. These constitute two parallel forwarding paths which maintain independent connection state and forward independently.

Traffic to the ACE Control Plane
Traffic directed to the ACE itself is received on the control plane. Useful statistics are:
- show netio stats and show fifo stats count traffic into and out of the CP
- show netio clients shows the applications which have registered to receive traffic from the CDE
There are a number of useful context-specific commands. These are for ACE-terminated traffic, and do not measure traffic forwarded by the ACE!!
- show ip traffic
- show [protocol] statistics (protocol can be arp, udp, tcp, icmp)

ACE in a Nutshell

ACE in a Nutshell
Cisco ACE provides many advanced load balancing features, consisting of interface and application security, server offload, and application load balancing.

Virtual Context Setup
- Virtual contexts are virtualized ACEs. Each virtual context has an independent configuration and dedicated resources assigned.
- One context can pull resources from another.
- Every ACE device contains a special virtual context called "Admin".
- It is recommended that you create separate virtual contexts for load balancing.
- The capacity of each ACE virtual context is determined by its resource class.
Common Debugging

Common Debugging
VIP is not responding when trying to connect: if you try to ping the VIP, you must configure loadbalance vip icmp-reply.

Common Debugging
Show commands on the Catalyst 6500 Supervisor:
show version
show clock
show module
show power
show asic slot <n>
show interface TenGigabitEthernet <n>/1
show interface TenGigabitEthernet <n>/1 trunk
show svclc vlan-group
[no] power enable <module>
Make sure the module status is OK.

Common Debugging
Show commands available on the ACE:
show version
show clock
show ft group status
show ip int br
show int vlan <n>
show arp
show service-policy
show serverfarm
show rserver
show probe
show conn
show stat
show ip traffic
show resource usage
show np 1 me-stats -s norm
show np 1 me-stats -s normM1
Slide annotations group these commands as: System Information; L2, L3; Performance, Resources; Debugging Flows L4, L7. The me-stats pair is annotated "This provides the DELTA".
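The me-stats drop counters are cumulative, and the delta between two readings is what isolates a problem that is happening now. As an added example (not from the Cisco deck), this Python script parses the output format of show np 1 me-stats "-s norm" | i Drop and reports which drop reasons increased between two constructed readings.

```python
"""Compare two readings of the ACE normalization drop counters.

Added example, not from the Cisco deck. The counters printed by
  show np 1 me-stats "-s norm" | i Drop
are cumulative, so one reading only says a drop reason has ever fired.
Two readings taken some seconds apart, diffed, show what is firing now.
Both samples below are constructed for this example.
"""
import re
from typing import Dict, Optional

# Constructed sample: first reading.
BEFORE = """\
[Drops] L2 invalid DA mac: 0
[Drops] L4 port is zero 0
[Drops] TCP invalid flags: 12
[Drops] TCP syn data denied: 0
[Drops] fp TCP window left edge: 40
[Drops] fp TCP exceeded MSS: 18
"""

# Constructed sample: second reading, taken later on the same NP.
AFTER = """\
[Drops] L2 invalid DA mac: 0
[Drops] L4 port is zero 3
[Drops] TCP invalid flags: 12
[Drops] TCP syn data denied: 0
[Drops] fp TCP window left edge: 41
[Drops] fp TCP exceeded MSS: 250
"""

# "[Drops] <reason>: <count>". The "L4 port is zero 0" line has no colon,
# so the separator is optional.
_LINE = re.compile(r"^\[Drops\]\s+(?P<reason>.+?):?\s+(?P<count>\d+)\s*$")


def parse_drops(text: str) -> Dict[str, int]:
    """Return {reason: count} for every [Drops] line in the output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def drop_delta(before: str, after: str) -> Dict[str, int]:
    """Per-reason change between two readings, non-zero entries only.

    A reason that went down means the counters were cleared (or the
    module reloaded) between readings; it is reported as a negative
    delta rather than silently hidden.
    """
    old = parse_drops(before)
    new = parse_drops(after)
    delta: Dict[str, int] = {}
    for reason, count in new.items():
        change = count - old.get(reason, 0)
        if change != 0:
            delta[reason] = change
    return delta


def top_reason(before: str, after: str) -> Optional[str]:
    """Reason with the largest increase, or None if nothing moved."""
    delta = drop_delta(before, after)
    if not delta:
        return None
    return max(delta, key=delta.get)


if __name__ == "__main__":
    changes = sorted(drop_delta(BEFORE, AFTER).items(), key=lambda kv: -kv[1])
    for reason, change in changes:
        print(f"{change:+8d}  {reason}")
```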
Looking at the Normalization Counters
Shows the DROP counters in the fast path and TCP.

switch/Admin# show np 1 me-stats "-s norm" | i Drop
[Drops] L2 invalid DA mac: 0
[Drops] L4 port is zero 0
[Drops] TCP invalid conn miss flags: 0
[Drops] TCP invalid flags: 0
[Drops] TCP urgent pointer denied: 0
[Drops] TCP non-zero reserved field: 0
[Drops] TCP syn data denied: 0
[Drops] TCP non-syn options on syn: 0
[Drops] TCP syn options on non-syn: 0
[Drops] TCP no of denied options: 0
[Drops] TCP option length wrong: 0
[Drops] fp TCP invalid ack in syn-ack: 0
[Drops] fp TCP invalid ack for syn-ack: 0
[Drops] fp TCP ack past seq: 0
[Drops] fp TCP window left edge: 0
[Drops] fp TCP window right edge: 0
[Drops] fp TCP data past FIN: 0
[Drops] fp TCP FIN has wrong seq: 0
[Drops] fp TCP RST has wrong seq: 0
[Drops] fp TCP RST has wrong ack: 0
[Drops] fp TCP ack > FIN_ACK exp: 0
[Drops] fp TCP exceeded MSS: 18

Show Module from the Catalyst 6500 Supervisor

cat6k#show mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     1 Application Control Engine 10G Module  ACE10-6500-K9      SAD09350804
  2    48 48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAD04450L44
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAD08300D5L

Mod MAC addresses                     Hw    Fw           Sw           Status
--- --------------------------------- ----- ------------ ------------ -------
  1 0001.0002.0003 to 0001.0002.000a  0.504 8.6(0.252-En 3.0(0)A1(2)  Ok
  2 00d0.d32e.1b42 to 00d0.d32e.1b71  1.5   5.4(2)       8.5(0.46)RFW Ok
  5 000f.f7be.b17c to 000f.f7be.b17f  4.0   8.1(3)       12.2(PP_R31_ Ok

Mod Sub-Module             Model            Serial       Hw    Status
--- ---------------------- ---------------- ------------ ----- -------
  5 Policy Feature Card 3  WS-F6K-PFC3BXL   SAD083006N2  1.3   Ok
  5 MSFC3 Daughterboard    WS-SUP720        SAD082905VE  2.1   Ok

Mod Online Diag Status
--- -------------------
  1 Pass
  2 Pass
  5 Pass

The module status shows Ok.

Verifying Version and Licenses

switch/Admin# show version
Cisco Application Control Software (ACSW)

Software
  loader:    Version 12.2[118]
  system:    Version A2(1.0) [build 3.0(0)A2(1.0)
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1.bin
  installed license: ACE-08G-LIC ACE-VIRT-250 ACE-SSL-15K-K9

Hardware
  Cisco ACE (slot: 1)
  cpu info:
    number of cpu(s): 2
    cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
    cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz

The "installed license" line shows the installed licenses.

Available System Memory and Uptime
Continuation of the show version output:

switch/Admin# show version
[...]
memory info:
  total: 958004 kB, free: 335372 kB
  shared: 0 kB, buffers: 3540 kB, cached 0 kB
cf info:
  filesystem: /dev/cf
  total: 499744 kB, used: 447136 kB, available: 52608 kB

last boot reason: reload command by admin
configuration register: 0x1
ACE kernel uptime is 7 days 23 hours 42 minute(s) 25 second(s)

The last line displays the ACE module uptime.

What Licenses Are Installed
View the currently installed licenses:

switch/Admin# show license
ACE-250CTX-08G-SSL-15K.lic:
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-08G-LIC cisco 1.0 permanent 1 \
        VENDOR_STRING=<count>1</count> HOSTID=ANY \
        NOTICE="<LicFileID>20060523161924670</LicFileID><LicLineID>1</LicLineID> <PAK></PAK>" SIGN=76DA7526434A
INCREMENT ACE-SSL-15K-K9 cisco 1.0 permanent 1 \
        VENDOR_STRING=<count>1</count> HOSTID=ANY \
        NOTICE="<LicFileID>20060523161924670</LicFileID><LicLineID>7</LicLineID> <PAK></PAK>" SIGN=1077701CF92C
INCREMENT ACE-VIRT-250 cisco 1.0 permanent 1 \
        VENDOR_STRING=<count>1</count> HOSTID=ANY \

This shows the license file installed.

Installing New Licenses on ACE
Copy the license file to disk0: on the ACE.

switch/Admin# dir disk0:
     636 Apr 17 16:04:04 2007 ACE-250CTX-08G-SSL-20K.lic
     236 Apr 17 16:06:54 2007 ACE-16G-LIC.lic

License commands available on the ACE:

switch/Admin# license ?
  install     Install the license
  uninstall   Uninstall the license
  update      Update existing license

A reload is only required when increasing throughput on the ACE10.

switch/Admin# license install disk0:ACE-16G-LIC.lic
Installing license... done

ACE File System
Use the dir command to view the directory listing for files:

switch/Admin# dir ?
  core:      Directory or filename
  disk0:     Directory or filename
  image:     Directory or filename
  probe:     Directory or filename
  volatile:  Directory or filename

The internal file system is mapped as below:
/mnt/cf - image:
The following compressed file systems are also used:
/TN-HOME = disk0:
/TN-CONFIG = startup config
/TN-LOGFILE = internal storage for audit logs
/TN-CERTKEY-STORAGE = internal storage for certs and keys
/TN-COREFILE = core:
ACE File System
- Load the debug plug-in to access the ACE file system.
- The startup configuration is located at /mnt/cf/TN-CONFIG.
- ACE will generate or fix any missing or corrupted file systems during boot.
When to use the format command? If you receive the following error:

switch/Admin# write memory
ERROR! config filesystem is not mounted on compact flash

Warning!! This will erase everything in the compact flash, including the startup configs for all the contexts, and reboot the system!!

Working with Core Files
If ACE creates a core file you can locate the files in the core directory. All core files are stored in dir core: (core names are self-explanatory).

switch/Admin# dir core:
   99756 Apr 5 17:57:05 2007 ixp2_crash.txt
   13047 Apr 5 17:56:59 2007 loadBalance_core_log.tar.g

- ixpx_crash.txt will have some details on the core dump.
- If it is a kernel crash, then a file named crashinfo will be available in core:.
- show version will show the last reload reason.

Invoke Context
To display the running configuration of a context from the Admin context, use the invoke context command:

invoke context context_name show running-config

switch/Admin# invoke context BreakingPoint show running-config
write memory
Generating configuration....

switch/Admin# invoke context Exchange2010 show running-config | include 192.168.1.1
Generating configuration....
  ip address 192.168.1.11
  ip address 192.168.1.12
  alias 192.168.1.1 255.255.255.0
Sandbox-Pod2-ACE20-1/Admin#

System Logging
Logging Features
- Each virtual context generates logs independently and sends them to the specified destinations: syslog server, console, telnet/ssh, buffer, flash, supervisor, SNMP, NAT.
- Rate limiting of syslog messages is recommended. Never log to the console using level 7.
- ACE will log connection setup/teardown at the connection speed.
- Access-list deny entries are logged.
- Use the terminal monitor command to display log messages when not using the console.
Useful commands to troubleshoot syslogging:
show logging statistics
show logging queue | last

Basic Configuration to Enable Logging
Enable logging on the ACE:

logging enable
logging monitor 7
no logging message 111008
no logging message 111009
logging timestamp
do terminal monitor

- It is recommended to disable, or change the severity level of, some syslog messages. Use the logging message syslog_id [level severity_level] command.
- To enable the logging of connection setup and teardown messages, use the logging fastpath command.
- Use logging rate-limit to limit the rate at which the ACE generates syslog messages.

Real-Time TCP Dump

Real-Time TCP Dump
- Supportability and analysis of load balanced traffic is a major requirement in today's load balanced environments.
- ACE can capture real-time packet information for the network traffic that passes through the ACE.
- The attributes of the packet capture are defined by an ACL.
- The ACE buffers the captured packets, and you can copy the buffered contents to a file in flash memory on the ACE or to a remote server.
- You can also display the captured packet information on your console or terminal; the capture can also be exported to Ethereal.
Real-Time TCP Dump
To enable packet capture on ACE use the capture command:

capture c1 interface vlan 211 access-list FILTER bufsize 64

- bufsize: buffer in Kbytes (can be circular)
- access-list: pre-defined ACL to identify the relevant traffic
- interface: interface to apply the capture to
- One capture session per context
- Capture is triggered at flow setup
- Capture is configured on the client interface where the flow is received

Real-Time TCP Dump
ACE can capture traffic based on a configured access list and interface. Follow this procedure to capture traffic on ACE:
1. Specify an ACL
2. Capture on an interface or globally

access-list FILTER line 10 extended permit tcp any any eq www
capture c1 interface vlan 211 access-list FILTER

show capture status shows the status and buffer size:

switch/Admin# show capture c1 status
Capture session : c1
Buffer size     : 64 K
Circular        : no
Buffer usage    : 1.00%
Status          : stopped

Real-Time TCP Dump
Start the capture on the ACE:

switch/Admin# capture c1 start
23:40:37.236868 0:12:43:dc:93:bb 0:0:c:7:ac:a 0800 58: 172.16.11.190.443 > 209.165.201.11.1180: S 1389739009:1389739009(0) ack 617249474 win 17408 <mss 1460> (ttl 255, id 2401, len 44, bad cksum 0!)
23:40:37.239102 0:12:43:dc:93:bb 0:0:c:7:ac:a 0800 54: 172.16.11.190.443 > 209.165.201.11.1180: . ack 71 win 17408 (ttl 255, id 2402, len 40, bad cksum 0!)
switch/Admin# capture c1 stop

To copy the packet capture to disk0: use copy capture:

switch/Admin# copy capture c1 disk0:c1

The maximum buffer size is 5 MB of data.

Traffic Forwarding on ACE
ACE Load Balancer Policy Lookup Order
There can be many features applied on a given interface, so feature lookup ordering is important. The feature lookup order followed by the datapath in ACE is as follows:
1. Access control (permit or deny a packet)
2. Management traffic
3. TCP normalization/connection parameters
4. Server load balancing
5. Fix-ups/application inspection
6. Source NAT
7. Destination NAT
The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface.

ACE in Router Mode
- IP subnets cannot overlap within a context but can across two contexts.
- Non-load-balanced traffic is routed.
- ACE needs to ARP for the destination before forwarding the packet.
Packet headers (source MAC / destination MAC / source IP / destination IP / source port / destination port):
Client to ACE:  Client MAC / ACE MAC / Client IP / VIP / random port / VIP port
ACE to server:  ACE MAC / selected server MAC / Client IP / Server IP / random port / server port

ACE in Bridge Mode
Non-load-balanced connections are bridged from the client VLAN to the server VLAN.
Packet headers (source MAC / destination MAC / source IP / destination IP / source port / destination port):
Client to ACE:  Client MAC / ACE MAC / Client IP / VIP / random port / VIP port
ACE to server:  Client MAC / selected server MAC / Client IP / Server IP / random port / server port

Checking VLAN Configuration
show interface provides you with valuable information:

switch/Admin# show interface vlan 211
vlan210 is up
  Hardware type is VLAN
  MAC address is 00:16:36:fc:b3:36
  Virtual MAC address is 00:0b:fc:fe:1b:02
  Mode : routed
  IP address is 172.16.10.21 netmask is 255.255.255.0
  FT status is active
  Description: WAN Side
  MTU: 1500 bytes
  Last cleared: never
  Alias IP address is 172.16.10.23 netmask is 255.255.255.0
  Peer IP address is 172.16.10.22 Peer IP netmask is 255.255.255.0
  Assigned on the physical port, up on the physical port
     499707 unicast packets input, 155702918 bytes
     1485258 multicast, 5407 broadcast
     0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
     497610 unicast packets output, 46804782 bytes
     6 multicast, 8201 broadcast
     0 output errors, 0 ignored

MAC Addresses
- The virtual MAC (VMAC) is used for the alias IP and the VIP address.
- Alias IP and virtual IP (VIP) are associated with a VMAC only if high availability is configured.
- The active context responds to ARPs for the alias IP with the VMAC.
- One unique VMAC per FT group: 00:0b:fc:fe:1b:XX (XX = FT group number in hex).
- Packets destined to the VMAC are blocked on the standby context.

MAC Addresses
- The VMAC is a function of the ft-group-id. Therefore different cards must have different ft-group-ids.
- Use show interface internal iftable to locate the VMAC.
- Each ACE supports 1,024 shared VLANs, and uses only one bank of MAC addresses, randomly selected at boot time.
- ACEs may select the same address bank; to avoid this conflict use the shared-vlan-hostid command.

Key Things to Know About ARP on ACE
- For unicast packets, if the destination MAC is unknown ACE will drop the packet instead of flooding it.
- So the IP-address-to-MAC mapping and outgoing interface resolution need to happen first.
- ARP entries are populated as follows: with ARP requests; learning through incoming ARP requests; gratuitous ARP packets.
- Layer 2 mode: no MAC learning. So ARP is the way to learn the IP-to-MAC and interface mapping.
How to Read the ARP Table
Each virtual context maintains its own ARP table.

switch/Admin# show arp
Context Exchange
=======================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type       Encap  Next Arp(s)  Status
=======================================================================
172.16.11.1     00.00.0c.07.ac.0a  vlan211    GATEWAY    226    87 sec       up
172.16.11.19    00.12.43.dc.83.bb  vlan211    INTERFACE  LOCAL  _            up
172.16.11.190   00.12.43.dc.83.bb  vlan211    VSERVER    LOCAL  _            up
192.168.1.1     00.0a.b8.66.60.85  vlan411    INTERFACE  LOCAL  _            up
192.168.1.11    00.50.56.12.11.01  vlan411    RSERVER    230    87 sec       up
192.168.1.12    00.50.56.12.11.01  vlan411    RSERVER    229    87 sec       up
192.168.20.254  00.0a.b8.66.60.85  bvi 2      INTERFACE  LOCAL  _            up
==================================================================
Total arp entries 11

The ARP table shows the type of each ARP entry: GATEWAY, INTERFACE, VSERVER or RSERVER.

Admin Context Resource Reservation

Admin Context Resource Reservation
- If the Admin context is not configured correctly, Admin could be starved of all resources.
- When configuring resource allocations in ACE, it is possible to allocate 100% of resources to non-Admin contexts, so that the Admin context is no longer reachable via ICMP, telnet, SNMP, etc.
- It also appears that in some cases this will cause FT between a pair of HA ACE modules to fail, and create an active/active situation.
- It is highly recommended to put a safeguard in place to ensure that the Admin context always receives at least a small percentage of resources.
Admin Context Resource Reservation
The following shows a starved Admin context:

switch/Admin# show arp
Context Admin
=============================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type       Encap  Next Arp(s)  Status
=============================================================================
10.87.102.225   00.00.00.00.00.00  vlan621    GATEWAY    -      * 2 req      up
10.87.102.229   00.0b.fc.fe.1b.01  vlan621    ALIAS      LOCAL  _            up
10.87.102.230   00.0a.b8.71.2f.ef  vlan621    INTERFACE  LOCAL  _            up
172.16.0.1      00.0a.b8.71.2f.ef  vlan999    INTERFACE  LOCAL  _            up
172.16.0.2      00.05.9a.3b.92.e9  vlan999    LEARNED    18     * 2 req      up
=============================================================================
Total arp entries 5

switch/Admin# ping 10.87.102.225
Pinging 10.87.102.225 with timeout = 2, count = 5, size = 100
....
No response received from 10.87.102.225 within last 2 sec
No response received from 10.87.102.225 within last 2 sec
2 packet sent, 0 responses received, 100% packet loss

The ACE is unable to reach its default gateway.
Admin Context Resource Reservation
The following shows starved resources and drops for throughput:

switch/Admin# show resource usage context Admin
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Admin
  conc-connections             9          9          0          0          0
  mgmt-connections             2         12          0          0          0
  proxy-connections            0          0          0          0          0
  xlates                       0          0          0          0          0
  bandwidth                    0       4715          0          0    3704068
  throughput                   0       4247          0          0    3704068
  mgmt-traffic rate            0        468          0  125000000          0
  connection rate              0          7          0          0          8
  ssl-connections rate         0          0          0          0          0
  mac-miss rate                0          1          0          0          0
  inspect-conn rate            0          0          0          0          0
  acl-memory               26816      26880          0          0          0
  sticky                       0          0          0          0          0
  regexp                       0          0          0          0          0
  syslog buffer             1024       4096          0       1024          0
  syslog rate                  0          7          0          0        118

No resources are reserved (Min is 0 everywhere).

Admin Context Resource Reservation
The following shows heartbeats missed increasing. Heartbeats are not reaching the peer, so there is a possibility for both ACEs to go active/active.

switch/Admin# sh ft stats
HA Heartbeat Statistics
------------------------
Number of Heartbeats Sent              : 1095573
Number of Heartbeats Received          : 1095239
Number of Heartbeats Missed            : 2987
Number of Unidirectional HB's Received : 2640
Number of HB Timeout Mismatches        : 0
Num of Peer Up Events Sent             : 1
Num of Peer Down Events Sent           : 1
Successive HB's miss Intervals counter : 0
Successive Uni HB's recv counter       : 0
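The outputs above are the symptoms the deck uses to recognise a starved Admin context. As an added example (not Cisco's code), this Python script parses constructed copies of the show resource usage and show arp outputs and flags the two signatures: a resource with Min 0 that already has a non-zero Denied column, and a GATEWAY ARP entry whose MAC is still all zeros.

```python
"""Flag an Admin context that is being starved of resources.

Added example, not part of the Cisco deck. It reads the text of two
commands the deck uses to diagnose the problem:
  show resource usage context Admin   Min 0 with a non-zero Denied column
                                      means nothing is reserved and
                                      requests are already being refused
  show arp                            a GATEWAY entry whose MAC is all
                                      zeros means the default gateway was
                                      never resolved
The sample outputs are constructed, with values modelled on the deck's
starved-Admin slides.
"""
import re
from dataclasses import dataclass
from typing import List

RESOURCE_USAGE = """\
switch/Admin# show resource usage context Admin
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Admin
  conc-connections             9          9          0          0          0
  mgmt-connections             2         12          0          0          0
  bandwidth                    0       4715          0          0    3704068
  throughput                   0       4247          0          0    3704068
  mgmt-traffic rate            0        468          0  125000000          0
  connection rate              0          7          0          0          8
  syslog buffer             1024       4096          0       1024          0
  syslog rate                  0          7          0          0        118
"""

ARP_TABLE = """\
switch/Admin# show arp
Context Admin
IP ADDRESS      MAC-ADDRESS        Interface  Type       Encap  Next Arp(s)  Status
10.87.102.225   00.00.00.00.00.00  vlan621    GATEWAY    -      * 2 req      up
10.87.102.229   00.0b.fc.fe.1b.01  vlan621    ALIAS      LOCAL  _            up
10.87.102.230   00.0a.b8.71.2f.ef  vlan621    INTERFACE  LOCAL  _            up
172.16.0.2      00.05.9a.3b.92.e9  vlan999    LEARNED    18     * 2 req      up
Total arp entries 4
"""


@dataclass
class ResourceRow:
    name: str
    current: int
    peak: int
    minimum: int
    maximum: int
    denied: int


# Resource names may contain spaces ("mgmt-traffic rate"), so anchor on the
# five trailing integer columns instead of splitting on whitespace.
_ROW = re.compile(r"^\s+(?P<name>[a-z][a-z0-9 -]*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
_ZERO_MAC = "00.00.00.00.00.00"


def parse_resource_usage(text: str) -> List[ResourceRow]:
    """One ResourceRow per data line of show resource usage."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            nums = [int(x) for x in m.groups()[1:]]
            rows.append(ResourceRow(m.group("name"), *nums))
    return rows


def starved_resources(text: str) -> List[str]:
    """Resources with no minimum guarantee that have already refused requests."""
    return [r.name for r in parse_resource_usage(text)
            if r.minimum == 0 and r.denied > 0]


def unresolved_gateways(text: str) -> List[str]:
    """GATEWAY ARP entries whose MAC was never learned."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "GATEWAY" and fields[1] == _ZERO_MAC:
            found.append(fields[0])
    return found


def admin_starved(resource_text: str, arp_text: str) -> bool:
    """True when both symptoms from the deck appear together."""
    return bool(starved_resources(resource_text)) and bool(unresolved_gateways(arp_text))


if __name__ == "__main__":
    print("denied with Min 0:", starved_resources(RESOURCE_USAGE))
    print("unresolved gateways:", unresolved_gateways(ARP_TABLE))
    print("admin starved:", admin_starved(RESOURCE_USAGE, ARP_TABLE))
```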
Admin Context Resource Reservation
Below is the configuration that causes the problem, and why ACE is starved of all resources:

resource-class admin
  limit-resource all minimum 0.10 maximum equal-to-min

Suggested reserved resources for Admin:

resource-class Admin
  limit-resource conc-connections min 5.00 max equal-to-min
  limit-resource mgmt-connections min 5.00 max equal-to-min
  limit-resource rate bandwidth min 5.00 max equal-to-min
  limit-resource rate ssl-connections min 5.00 max equal-to-min
  limit-resource rate mgmt-traffic min 5.00 max equal-to-min
  limit-resource rate conc-connections min 5.00 max equal-to-min

Access-Control Lists

ACL Merge Process and Enhancements
- New ACL merge enhancements have been added to the ACE.
- ACL merge is responsible for merging all the features and generating a single merged list for a given interface.
- The ACL compiler is responsible for programming the merged list into an MTrie data structure for fast retrieval of data.
- ACL memory usage has been optimized to better support incremental changes.
- The new implementation provides consistent ACL memory usage during system boot and during incremental changes after the system comes up.
- This feature also provides early detection of failure if the configuration needs more ACL resources than the system can support.

View Total Action Nodes
Use show np 1 access-list resource to view the action nodes:

switch/Admin# show np 1 access-list resource
ACL Tree Statistics for Context ID: 3
=======================================
ACL memory max-limit: None
ACL memory guarantee: 0.00 %
MTrie nodes (used/guaranteed/max-limit): 6 / 0 / 262143 (compressed)
                                         2 / 0 / 21999 (uncompressed)
Leaf Head nodes (used/guaranteed/max-limit): 3 / 0 / 262143
Leaf Parameter nodes (used/guaranteed/max-limit): 7 / 0 / 524288
Policy action nodes used: 4
memory consumed: 4696 bytes resource-limited
                 128 bytes other
                 4824 bytes total.
min-guarantee: 0 bytes total.
max-limit: 78610432 bytes total, 0 % consumed

The total policy action node counts for ACE: ACE Module 200k; ACE 4710 Appliance 40k.

Troubleshooting Secure Socket Layer (SSL)

Troubleshooting SSL
Configuration of SSL on ACE is relatively simple. However, if you experience an issue, how do you troubleshoot?
Make sure the certificate and key used in the ssl-proxy are valid. Use the crypto verify command:

switch/Admin# crypto verify RSA2048.key RSA2048.cert
Keypair in RSA2048.key matches certificate in RSA2048.cert

Check the size and location of the key. Use the show crypto key command:

switch/Admin# show crypto key all
Filename                     Bit Size     Type
--------                     --------     ----
RSA2048.key                  2048         RSA

Troubleshooting SSL
Looking at the certificate details.
Use the show crypto certificate command:

switch/Admin# show crypto certificate cisco-sample-cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ad:e4:e2:f1:50:b7:ce:bd
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=KA, L=BLR, O=CISCO, OU=ADBU, CN=SSL-TEST
        Validity
            Not Before: Apr 3 09:50:55 2009 GMT
            Not After : Apr 1 09:50:55 2019 GMT
        Subject: C=IN, ST=KA, L=BLR, O=CISCO, OU=ADBU, CN=SSL-TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cf:a2:60:66:5b:ce:b6:38:6f:94:df:0d:1c:61:26:
                    af:7a:05:49:ed:8d:93:3b
                Exponent: 65537 (0x10001)

Troubleshooting SSL CRL Download
Check to make sure you can download the CRL:

switch/Admin(config-ssl-proxy)# do show crypto crl test2 detail
test2:
URL: http://119.60.60.23/test.crl
Last Downloaded (Cached): Sat Aug 8 16:14:24 2009 UTC
Total Number Of Download Attempts: 1
Failed Download Attempts: 0
Successful Loads: 1
Failed Loads: 0
Hours since Last Load: 0
No IP Addr Resolutions: 0
Host Timeouts: 0
Next Update Invalid: 0
Next Update Expired: 0
Bad Signature: 0
CRL Found-Failed to load: 0
File Not Found: 0
Memory Outage failures: 0
Cache Limit failures: 0
Conn failures: 0
Internal failures: 0
Not Eligible for download: 3
HTTP Read failures: 0
HTTP Write failures: 0

To list all best-effort CRLs in the system and their download status, use the show crypto crl best-effort command.
Cisco Public BRKAPP-3003 60 Advanced SSL Debugging This command provides the current crypto statistics swi t ch/ Admi n# sh np 1 me-stats "-s crypto Cr ypt o St at i st i cs: ( Cur r ent ) - - - - - - - - - - - - - - - - - - ARC4 oper at i ons: 376572 0 TCP msgs r ecei ved: 285260 0 APP msgs r ecei ved: 235151 0 Ni t r ox messages f or war ded t o XScal e: 381041 0 SSL ct x al l ocat ed: 47758 0 SSL ct x f r eed: 47758 0 SSL r ecei ved byt es: 61070430 0 SSL t r ansmi t t ed byt es: 283256220 0 SSL r ecei ved appl i cat i on byt es: 7679113 0 SSL t r ansmi t t ed appl i cat i on byt es: 275120867 0 SSL r ecei ved non- appl i cat i on byt es: 53391317 0 SSL t r ansmi t t ed non- appl i cat i on byt es: 3292887 0 Bul k f l ush oper at i ons: 95037 0 ME r ecor ds sent t o XScal e: 285808 0 ME r ecor ds r ecei ved f r omXScal e: 47723 0 ME hw r esponses: 471516 0 Fi r st segment s r ecei ved: 47400 0 Handshake failure alert: 94 0 CM cl ose: 446 0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-3003 61 Advanced SSL Debugging The show stats crypto server command provides statistics of the SSL handshake swi t ch/ Admi n# show stats crypto server +- - - - Cr ypt o ser ver t er mi nat i on st at i st i cs - - - - - + +- - - - - - - Cr ypt o ser ver al er t st at i st i cs - - - - - - - - + +- - - Cr ypt o ser ver aut hent i cat i on st at i st i cs - - - + +- - - - - - - Cr ypt o ser ver ci pher st at i st i cs - - - - - - - + +- - - - - - Cr ypt o ser ver r edi r ect st at i st i cs - - - - - - + +- - - - Cr ypt o ser ver header i nser t st at i st i cs - - - + These statistics provide details of the SSL packets for example; which version client interacted with ACE, which cipher is used, whether re-handshake happened, whether session id reuse happened and which SSL alerts are received or sent by ACE 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public Presentation_ID 62 Connection Handling on ACE 2010 Cisco and/or its affiliates. 
Flow Management

Layer 3 and Layer 4
  Processing: balance on the first packet; applies to TCP/UDP for layer 4 rules and to all other IP protocols.
  Features: basic load balancing, source IP sticky (select server or farm based on source IP), TCP/IP normalization.
Layer 7 TCP splicing
  Processing: terminate the TCP connection; buffer the request, inspect it, load balance; create a hardware shortcut.
  Features: HTTP layer 7 rules on the first request (URL LB), cookie sticky (persistence), generic TCP payload parsing.
Layer 7 re-proxy
  Processing: TCP splicing plus the ability to parse subsequent HTTP requests within the same TCP connection.
  Features: HTTP layer 7 rules with HTTP 1.1 connection keepalive (persistence rebalance).
Layer 7 full proxy
  Processing: fully terminate the client's connection.
  Features: SSL offload, TCP re-use, HTTP 1.1 pipelining, protocol inspection (FTP, SIP).

Internal Mapping of TCP/UDP Flows

TCP and UDP flows = 2 x internal half flows.

switch/Admin# show conn
conn-id    np dir proto vlan source                 destination            state
-----------+--+----+-----+----+-----------------------+----------------------+--------+
9          1  In  TCP   211  209.165.201.11:1867    172.16.11.190:80       ESTAB
6          1  Out TCP   411  192.168.1.11:80        209.165.201.11:1867    ESTAB

In this output 209.165.201.11:1867 is the client IP:port, 172.16.11.190 is the VIP address and 192.168.1.11 is the server IP.
The returning half flow is created automatically for both TCP and UDP flows.
State values shown: INIT, SYNACK, ESTAB, CLOSED and SYN_SEEN, SYN_SEEN, ESTAB, CLOSED; non-TCP flows show as --.
Use the conn-id to track a flow through the ACE, and check the np column to see which network processor handles it.

Troubleshooting Connections

Use the show stats connection command to show connection statistics, and the clear stats connection command to clear these counters:

switch/Admin# show stats connection
+------------------------------------------+
+------- Connection statistics ------------+
+------------------------------------------+
Total Connections Created   : 288232
Total Connections Current   : 2
Total Connections Destroyed : 283404
Total Connections Timed-out : 892
Total Connections Failed    : 3934

Note: "Destroyed" does not mean the ACE tore the connection down; these are connections that closed correctly.

Use the show stats loadbalance command to view the load-balance statistics. To clear the load-balance statistics stored in the ACE buffer, use the clear stats loadbalance command:

switch/Admin# show stats loadbalance
+------------------------------------------------------------+
+------- Loadbalance statistics -----------------------------+
+------------------------------------------------------------+
Total version mismatch              : 0
Total Layer4 decisions              : 0
Total Layer4 rejections             : 0
Total Layer7 decisions              : 24
Total Layer7 rejections             : 0
Total Layer4 LB policy misses       : 0
Total Layer7 LB policy misses       : 0
Total times rserver was unavailable : 0
Total ACL denied                    : 0
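As an added example (not from the slides), the following Python pairs the two half flows that show conn lists per connection into full flows and reports any half flow without a partner, which is how an asymmetric flow shows up in this output. The sample text is constructed from the slide's two rows plus one extra unpaired row, and the same-NP check assumes both halves of a flow normally sit on the same network processor.

```python
import re
from collections import namedtuple

HalfFlow = namedtuple("HalfFlow", "conn_id np direction proto vlan src dst state")

# Constructed sample modelled on the slide: conn-ids 9 and 6 are the two halves
# of one client -> VIP -> server flow; conn-id 12 is an inbound half with no
# outbound partner (the kind of asymmetry worth investigating).
SHOW_CONN = """\
conn-id    np dir proto vlan source                 destination            state
-----------+--+----+-----+----+-----------------------+----------------------+--------+
9          1  In  TCP   211  209.165.201.11:1867    172.16.11.190:80       ESTAB
6          1  Out TCP   411  192.168.1.11:80        209.165.201.11:1867    ESTAB
12         2  In  TCP   211  209.165.201.12:2001    172.16.11.190:80       SYNACK
"""

ROW = re.compile(r"^(\d+)\s+(\d+)\s+(In|Out)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_conn(text):
    """Return one HalfFlow per data row; header and separator rows are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cid, np_, direction, proto, vlan, src, dst, state = m.groups()
            flows.append(HalfFlow(int(cid), int(np_), direction, proto,
                                  int(vlan), src, dst, state))
    return flows


def pair_half_flows(flows):
    """Join each In half flow (client -> VIP) with the Out half flow whose
    destination is the same client socket (server -> client).
    Returns (pairs, unpaired); each pair is (inbound, outbound)."""
    outbound = {(f.dst, f.proto): f for f in flows if f.direction == "Out"}
    pairs, unpaired = [], []
    for f in flows:
        if f.direction != "In":
            continue
        partner = outbound.pop((f.src, f.proto), None)
        if partner is None:
            unpaired.append(f)
        else:
            pairs.append((f, partner))
    unpaired.extend(outbound.values())  # Out halves that no In half claimed
    return pairs, unpaired


def describe(pair):
    """Summarise a paired flow: client socket, VIP, real server, and whether
    both halves sit on the same network processor (assumed to be the normal
    case; a mismatch is a reason to look closer)."""
    inbound, outbound = pair
    return {"client": inbound.src, "vip": inbound.dst, "rserver": outbound.src,
            "same_np": inbound.np == outbound.np,
            "states": (inbound.state, outbound.state)}


if __name__ == "__main__":
    pairs, unpaired = pair_half_flows(parse_show_conn(SHOW_CONN))
    for p in pairs:
        print("full flow:", describe(p))
    for f in unpaired:
        print("unpaired half flow conn-id", f.conn_id, f.direction, f.src, "->", f.dst)
```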
Troubleshooting VIP

switch/Admin# show service-policy client-vips detail
Status     : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 211
  service-policy: client-vips
    class: VIP-HTTPS
      VIP Address:    Protocol:  Port:
      172.16.11.190   tcp        eq 443
      loadbalance:
        L7 loadbalance policy: HTTPS-POLICY
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 22        , hit count        : 22
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        max-conn-limit   : 0         , drop-count       : 0
        conn-rate-limit  : 0         , drop-count       : 0
        bandwidth-rate-limit : 0     , drop-count       : 0
        L7 Loadbalance policy : HTTPS-POLICY
          class/match : class-default
            LB action :
               primary serverfarm: backend-ssl
                backup serverfarm : -
            hit count        : 22
            dropped conns    : 0

This is the first command to use when viewing connections to a VIP.

Troubleshooting Serverfarm

switch/Admin# show serverfarm HTTPS-FARM detail
 serverfarm     : HTTPS-FARM, type: HOST
 total rservers : 4
 active rservers: 4
 description    : -
 state          : ACTIVE
 predictor      : ROUNDROBIN
 failaction     : -
 back-inservice    : 0
 partial-threshold : 0
 num times failover       : 0
 num times back inservice : 0
 total conn-dropcount : 0
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: linux-1
       192.168.1.11:0        8      OPERATIONAL  0          0          0
         max-conns            : -         , out-of-rotation count : -
         min-conns            : -
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -

This is the best command for checking server status and load.

Layer 7 Troubleshooting

Layer 7 Policy Hits

Expand show service-policy with the detail option to get the hit count for layer 7 matches:

switch/Admin# show service-policy client-vips detail
Status     : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 211
  service-policy: client-vips
        L7 Loadbalance policy : pslb
          class-map : curl1
            LB action :
               serverfarm: s1
            hit count        : 3
            dropped conns    : 0
          class-map : curl2
            LB action :
               serverfarm: s2
            hit count        : 0
            dropped conns    : 0

This shows the hit count for each layer 7 load-balanced class.
Match URL Hit Count

Expand show service-policy with the url-summary option to see which match http url statements are being hit:

switch/Admin# show service-policy url-summary
Service-Policy: VIRTUAL-HOSTING-01   L3-Class: WEB-SSL   L7-Class: A1
  match http url /ECBACCOUNTINQUIRY_V5/.*   hit: 42
Service-Policy: VIRTUAL-HOSTING-01   L3-Class: WEB-SSL   L7-Class: A2
  match http url /AADSLICER/.*              hit: 93
  match http url /ANALYSISHELP/.*           hit: 102
  match http url /BOXIR2/.*                 hit: 67
  match http url /BUSINESSOBJECTS/.*        hit: 78
  match http url /DSWSBOBJE/.*              hit: 84

For better granularity use show service-policy <service-policy-name> class-map <L3-class-map-name> url-summary.

Troubleshooting HTTP Statistics

To troubleshoot HTTP effectively, use the show stats http command:

switch/Admin# show stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 6288      , TCP data msgs sent        : 9143
Inspect parse result msgs : 0         , SSL data msgs sent        : 6041
TCP fin/rst msgs sent     : 135       , Bounced fin/rst msgs sent : 19
SSL fin/rst msgs sent     : 13        , Unproxy msgs sent         : 0
Drain msgs sent           : 3107      , Particles read            : 37917
Reuse msgs sent           : 1539      , HTTP requests             : 3145
Reproxied requests        : 0         , Headers removed           : 1549
Headers inserted          : 1598      , HTTP redirects            : 2
HTTP chunks               : 0         , Pipelined requests        : 0
HTTP unproxy conns        : 0         , Pipeline flushes          : 0
Whitespace appends        : 0         , Second pass parsing       : 0
Response entries recycled : 3032      , Analysis errors           : 0
Header insert errors      : 1509      , Max parselen errors       : 0
Static parse errors       : 9         , Resource errors           : 0
Invalid path errors       : 0         , Bad HTTP version errors   : 0

Troubleshooting HTTP Cookies

ACE parses HTTP requests for cookies with the name given in the configuration, and can skip a configured number of bytes of the value and then look at a configured number of bytes. If the cookie is not found, ACE looks in the URL for a string that starts with one of the characters /?&#+ and is followed by a "=", and parses that value. If neither a cookie nor an HTTP URL cookie exists, ACE falls back to the predictor for that serverfarm.
ACE can parse HTTP headers (including cookies) up to 64kB (the default header max parse length is 2048k).
Make sure that the sticky timeout matches the session timeout on the application.

Troubleshooting TCP Connection Re-Use

When TCP connection re-use is in use, "Connection: keep-alive" is inserted into and "Connection: close" is removed from the client's HTTP request, to avoid closing the server connection early.
You need to create a layer 7 class-map and configure source NAT when using TCP connection re-use:

class-map type http loadbalance match-any L7-RE-USE
  2 match http url .*

Use show stats http | include Reuse to check whether TCP re-use is actually being used:

switch/Admin# show stats http | include Reuse
Reuse msgs sent           : 1         , HTTP requests             : 4

Health Monitoring on ACE

Fundamentals for ACE Probing

ACE probes are fundamental to the system, and it is key not to oversubscribe the ACE health monitoring system. Use show resource internal socket to determine how many sockets the ACE has open. This is an Admin context command:

switch/Admin# show resource internal socket
Application   MaxLimit  Current  Creates  Frees
--------------------------------------------------------------
SYSTEM        4000      0        0        0
CRITICAL      50        0        0        0
AAA           256       0        0        0
MGMT          256       0        0        0
XINETD        512       1        12       11
HEALTH_MON    2500      532      193494   192962
USER_TCL      200       0        0        0
SYSLOG        256       10       14       4
VSH           256       0        0        0
OverAll       -         650      194812   194162
Non Reg App Usage: 107

Health Monitoring Process

If you see probing issues, check the health monitoring process. The show proc cpu command provides very useful information:

switch/Admin# show proc cpu
CPU utilization for five seconds: 30%; one minute: 37%; five minutes: 35%
PID   Runtime(ms)  Invoked  uSecs  1Sec  5Sec    1Min    5Min    Process
987   90257        57805    1561   0.0   1.40%   1.46%   1.43%   hm
988   90198        58952    1530   0.0   1.49%   1.49%   1.44%   hm
989   851          2947     288    0.0   0.0 %   0.1 %   0.0 %   hm
990   0            2        56     0.0   0.0 %   0.0 %   0.0 %   hm

The HM process is only consuming 1.40%, so why is the control plane CPU running at 30%? Check which process is running at 30%:

switch/Admin# show proc cpu
CPU utilization for five seconds: 30%; one minute: 37%; five minutes: 35%
PID   Runtime(ms)  Invoked  uSecs  1Sec  5Sec    1Min    5Min    Process
972   1072965      613352   1749   35.9  18.5%   21.67%  20.90%  arp_mgr
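An added example (not from the deck) that parses the two outputs above, show resource internal socket and show proc cpu, to check how close HEALTH_MON is to its socket limit and to total the hm processes' CPU against the top consumer, which is the triage the two slides walk through by hand. The sample text is constructed from the slide values and the 80% socket warning threshold is an assumed operational choice.

```python
import re

# Constructed sample modelled on the slide's 'show resource internal socket'.
SOCKET_OUTPUT = """\
Application   MaxLimit  Current  Creates  Frees
-----------------------------------------------
SYSTEM        4000      0        0        0
XINETD        512       1        12       11
HEALTH_MON    2500      532      193494   192962
SYSLOG        256       10       14       4
OverAll       -         650      194812   194162
Non Reg App Usage: 107
"""

# Constructed sample modelled on the slide's 'show proc cpu' (both halves).
PROC_CPU_OUTPUT = """\
CPU utilization for five seconds: 30%; one minute: 37%; five minutes: 35%
PID  Runtime(ms)  Invoked  uSecs  1Sec  5Sec    1Min    5Min    Process
972  1072965      613352   1749   35.9  18.5%   21.67%  20.90%  arp_mgr
987  90257        57805    1561   0.0   1.40%   1.46%   1.43%   hm
988  90198        58952    1530   0.0   1.49%   1.49%   1.44%   hm
989  851          2947     288    0.0   0.0 %   0.1 %   0.0 %   hm
"""

SOCKET_ROW = re.compile(r"^(\S+)\s+(\d+|-)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# ACE prints "1.40%" but also "0.0 %" (space before the percent sign).
PROC_ROW = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+[\d.]+\s+([\d.]+)\s*%"
                      r"\s+[\d.]+\s*%\s+[\d.]+\s*%\s+(\S+)\s*$")


def parse_sockets(text):
    """Map application -> (max_limit or None, current, creates, frees)."""
    table = {}
    for line in text.splitlines():
        m = SOCKET_ROW.match(line)
        if m:
            app, limit, cur, created, freed = m.groups()
            table[app] = (None if limit == "-" else int(limit),
                          int(cur), int(created), int(freed))
    return table


def socket_utilization(table, app):
    """Percent of the per-application socket limit currently in use."""
    limit, current, _, _ = table[app]
    return None if limit is None else round(100.0 * current / limit, 2)


def cpu_by_process(text):
    """Sum the 5-second CPU column per process name (hm runs as several PIDs)."""
    totals = {}
    for line in text.splitlines():
        m = PROC_ROW.match(line)
        if m:
            _, pct, name = m.groups()
            totals[name] = round(totals.get(name, 0.0) + float(pct), 2)
    return totals


def hm_triage(socket_text, cpu_text, socket_warn_pct=80.0):
    """Answer the slides' two questions: is health monitoring close to its
    socket limit, and is hm really what is driving control-plane CPU?"""
    table, cpu = parse_sockets(socket_text), cpu_by_process(cpu_text)
    hm_sockets = socket_utilization(table, "HEALTH_MON")
    top = max(cpu, key=cpu.get)
    report = {"health_mon_socket_pct": hm_sockets, "hm_cpu_pct": cpu.get("hm", 0.0),
              "top_process": top, "top_process_pct": cpu[top]}
    if hm_sockets >= socket_warn_pct:  # threshold is an assumed operational choice
        report["warning"] = "HEALTH_MON sockets near limit: fewer probes or longer intervals"
    return report


if __name__ == "__main__":
    print(hm_triage(SOCKET_OUTPUT, PROC_CPU_OUTPUT))
```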
Health Monitoring on ACE

Use the show probe detail command to determine the status of a probe and its most recent failure:

switch/Admin# show probe detail
(output cut)
                    --------------------- probe results ---------------------
probe association   probed-address   probes   failed   passed   health
------------------- ----------------+--------+--------+--------+-------
rserver: CAS1       10.7.53.55       24       24       0        FAILED
  Socket state        : CLOSED
  No. Passed states   : 0
  No. Failed states   : 1
  No. Probes skipped  : 0
  Last status code    : 403
  No. Out of Sockets  : 0
  No. Internal error  : 0
  Last disconnect err : Received invalid status code
  Last probe time     : Wed Nov 25 18:48:16 2009
  Last fail time      : Wed Nov 25 18:25:16 2009
  Last active time    : Never

High Availability on ACE

High Availability: Basic Building Blocks

FT PEER: only one FT peer per ACE device, a 1:1 peer relationship.
FT GROUP: one FT group per ACE virtual context.
FT VLAN: the designated VLAN between the redundant peers. All HA-related traffic is sent over this VLAN; it can be trunked between two Catalyst 6500 chassis and cannot be used for normal traffic.
(Diagram: ACE1 and ACE2 as FT peers joined by the FT VLAN, with FT Group 1, FT Group 2 and FT Group 3 spanning the Admin context, Context A and Context B on both peers.)

High Availability: Control Traffic

TCP connection between FT peers, carrying the state machine (election, preempt, relinquish), configuration sync and state sync for ARP.
HA keepalives: heartbeats between FT peers, sent over UDP, monitor the health of the peer; heartbeat interval and count are configurable.

ACE High Availability State Machine

Active/Standby election (assuming both peers are initialized at the same time)
  Based on a priority scheme: the member with the highest priority becomes ACTIVE and the other member enters the STANDBY_CONFIG state.
  If priorities are equal, the member with the higher IP address wins.
STANDBY_CONFIG state
  Startup configuration sync from Active to Standby.
  Running configuration sync from Active to Standby (knob to turn on/off).
STANDBY_BULK state
  ARP sync (knob to turn on/off).
  Connection table sync.
  Sticky database sync (knob to turn on/off).
STANDBY_HOT state
  The Standby FT group member is ready to take over.
  Incremental configuration sync from Active to Standby.
  Incremental state sync from Active to Standby.
STANDBY_COLD state
  Entered due to an error during config sync or incremental config sync.
  No config or state sync happens from Active to Standby.
Mismatch in software version
  The FT peer may become INCOMPATIBLE (SRG check), giving the ACTIVE state on both FT group members.
Mismatch in virtual context licenses
  Configuration sync (all types) for the Admin context is disabled; state sync for the Admin context continues to happen.
  For matching user contexts, configuration and state sync work.
Mismatch in other licenses
  Configuration and state sync work; after switchover, the new Active handles traffic according to its own licenses.

ACE Redundancy Query VLAN

A Query VLAN can be configured as an alternate path for pinging the peer when no heartbeat is being received from the redundant peer. If configured, upon receiving a PEER_DOWN message from the heartbeat process the ACE data plane tries to ping the destination via the Query VLAN. If the ping fails, the Standby transitions to the ACTIVE state; if the ping succeeds, the Standby transitions to the STANDBY_COLD state.
To configure a query interface, enter the following:

switch/Admin(config-ft-peer)# query-interface vlan 110

Common Debugging: Conclusion

This session should give you some directions on where to start troubleshooting ACE.

Recommended Reading

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes; winners are announced daily. Receive 20 Cisco Preferred Access points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any Internet station or visit www.ciscolivevirtual.com.

Appendix
Layer 4 and Layer 7 Flow Setup (sequence diagrams; only the labels survive extraction)

Layer 4 Flow Setup
  Client SYN: ACE matches the VIP, selects a server and rewrites L2/L3/L4.
  SYN_ACK, ACK and data: each packet matches the existing flow (shortcut) and is rewritten at L2/L3/L4.
  Features: basic load balancing, source IP sticky, TCP/IP normalization.

Layer 7 Flow Setup: client connects to an L7 VIP
  SYN: ACE matches the VIP with L7 logic, chooses its own SEQ number and replies with a SYN_ACK.
  ACK and data: ACE ACKs the client packets and starts/keeps buffering.
  Features: HTTP L7 rules on the first request (cookie sticky, URL parsing, ...), generic TCP payload parsing.

Layer 7 Flow Setup (continued): ACE establishes the connection to the server
  ACE parses the buffered data, selects a server and initiates TCP to it (acts as the client).
  The server's SYN_ACK is not forwarded to the client; ACE empties its buffer and sends the data to the server.

Layer 7 Flow Setup (continued): ACE splices the flows (UNPROXY)
  The server's ACK is not forwarded; ACE is ready to splice the flows.
  Subsequent data and ACKs match the existing flow (shortcut) and are rewritten at L2/L3/L4 and SEQ/ACK.

Layer 7 Flow Setup: ACE reproxies the connection
  Shortcut forwarding continues until a further GET arrives within the same connection; ACE then reproxies, ACKing the GET and buffering it.
  Features: HTTP L7 rules with HTTP 1.1 connection keepalive (persistence rebalance).

Layer 7 Flow Setup: ACE acts as a full proxy
  Independent client and server connections: client-side SYN, SYN_ACK, ACK, then GET / HTTP 1.1 and ACK; server-side SYN, SYN_ACK, ACK, then the GET, ACK and data; the server's HTTP/1.1 200 OK is relayed back to the client over the client connection.